From 21971b28bcee9427989d4bfaf97510ea87b3ea86 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Thu, 30 Aug 2012 20:40:19 -0700
Subject: [PATCH] (bug 39700) Add htmlspecialchars encoding to label
Adds htmlspecialchars encoding to the link label, passed into Linker::makeBrokenImageLinkObj. This fixes a stored XSS (HTML injection) vulnerability.
* Released as part of 1.20wmf10, 1.19.2, 1.18.5
Change-Id: I0e5f9eeb1f3561b1354aecced74f68ae2fa20dfa
---
includes/Linker.php | 24 ++++++++++++------------
tests/parser/parserTests.txt | 15 +++++++++++++++
2 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/includes/Linker.php b/includes/Linker.php
index 7aba444050..8e31a1cf76 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -865,31 +865,31 @@ class Linker { * Make a "broken" link to an image * * @param $title Title object - * @param $html String: link label in htmlescaped text form + * @param $label String: link label (plain text) * @param $query String: query string - * @param $trail String: link trail (HTML fragment) - * @param $prefix String: link prefix (HTML fragment) + * @param $unused1 Unused parameter kept for b/c + * @param $unused2 Unused parameter kept for b/c * @param $time Boolean: a file of a certain timestamp was requested * @return String */ - public static function makeBrokenImageLinkObj( $title, $html = '', $query = '', $trail = '', $prefix = '', $time = false ) { + public static function makeBrokenImageLinkObj( $title, $label = '', $query = '', $unused1 = '', $unused2 = '', $time = false ) { global $wgEnableUploads, $wgUploadMissingFileUrl, $wgUploadNavigationUrl; if ( ! $title instanceof Title ) { - return "{$prefix}{$html}{$trail}"; + return "" . htmlspecialchars( $label ); } wfProfileIn( __METHOD__ ); + if ( $label == '' ) { + $label = $title->getPrefixedText(); + } + $encLabel = htmlspecialchars( $label ); $currentExists = $time ? ( wfFindFile( $title ) != false ) : false; - list( $inside, $trail ) = self::splitTrail( $trail ); - if ( $html == '' ) - $html = htmlspecialchars( $title->getPrefixedText() ); - if ( ( $wgUploadMissingFileUrl || $wgUploadNavigationUrl || $wgEnableUploads ) && !$currentExists ) { $redir = RepoGroup::singleton()->getLocalRepo()->checkRedirect( $title ); if ( $redir ) { wfProfileOut( __METHOD__ ); - return self::linkKnown( $title, "$prefix$html$inside", array(), wfCgiToArray( $query ) ) . $trail; + return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) ); } $href = self::getUploadUrl( $title, $query ); 
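Review bot: The new `$label` docblock line says "plain text" but does not tell callers that the value is escaped inside this function, so a caller still following the old contract ("htmlescaped text form") will now get double-encoded entities in the rendered link; callers are not visible in this diff and should be audited. I would spell the contract out, e.g. `@param $label String: link label (plain text; escaped here, do not pre-escape)`, and say on `$unused1`/`$unused2` that a prefix or trail passed by existing callers is now silently dropped. A short comment above `$encLabel = htmlspecialchars( $label );`, such as `// Element-content escaping only; do not reuse inside a single-quoted attribute`, would guard against later reuse in the wrong context, since the call passes no quote flags. The function body continues past this hunk into the next one, where `$encLabel` is used again.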
@@ -897,10 +897,10 @@ class Linker { wfProfileOut( __METHOD__ ); return '' . - "$prefix$html$inside$trail"; + $encLabel . ''; } else { wfProfileOut( __METHOD__ ); - return self::linkKnown( $title, "$prefix$html$inside", array(), wfCgiToArray( $query ) ) . $trail; + return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) ); } } diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt index 5036268e95..453e88a86f 100644 --- a/tests/parser/parserTests.txt +++ b/tests/parser/parserTests.txt @@ -2442,6 +2442,21 @@ Link with double quotes in title part (literal) and alternate part (interpreted)

!! end +!! test +Broken image links with HTML captions (bug 39700) +!! input +[[File:Nonexistent|]] +[[File:Nonexistent|100px|]] +[[File:Nonexistent|<]] +[[File:Nonexistent|abc]] +!! result +

<script></script> +<script></script> +< +abc +

+!! end + !! test Plain link to URL !! input -- 2.20.1